Coronavirus contagion leveraged by criminals and APTs

State-sponsored groups and cybercriminal gangs continue to benefit from the global confusion and concern surrounding the coronavirus. Because the virus is so contagious, more and more people are working from home, dramatically increasing the threat surface as potential victims use home devices that are not covered by corporate detection systems. The World Health Organization (WHO) has now issued a global warning about the rise in coronavirus-themed phishing emails impersonating the organisation. As COVID-19 spreads around the world, the Global Business Travel Association (GBTA) stated the virus could cost the tourism industry some $47 billion per month. Airlines and package tour operators agree, with the International Air Transport Association (IATA) predicting almost $30 billion in lost flight sales.

There are fears that China’s economy will contract by more than forecast in the first quarter after the country’s manufacturing sector reported record low activity for February. Domestic car sales in China have plunged, pushing sales online. Japan’s Olympics minister also said it may be possible to delay the summer games to later in 2020 to head off the virus. The Bank of Japan’s Governor, Haruhiko Kuroda, also made an emergency statement following a week of turmoil in markets over the economic implications of the coronavirus.

The India-linked APT Patchwork was the first nation-state-level group to reference the virus in phishing documents used for cyber-espionage against Chinese targets. Security researcher @cybersloth also found the Chinese state-sponsored group MustangPanda leveraging the virus in attacks. This was potentially the first publicly documented instance of the Chinese government itself leveraging the coronavirus as a means of infiltrating its targets.

A new Emotet malspam campaign was one of the first to use infection reports for the novel coronavirus as a lure. It targeted prefectures in Japan, including Gifu, Osaka, and Tottori. The spam emails impersonate official notifications from disability welfare service providers and public health centres, with attachments claiming to contain details about ways to avoid infection. These are sent from email accounts previously compromised by Emotet.

The South Korean government has additionally warned the public of a steep rise in SMS phishing campaigns using misinformation about the ongoing coronavirus outbreak as a lure. 9,688 of these messages had been found as of 15 February, claiming to provide free masks, or impersonating companies which have experienced delays because of the virus, in order to get users to disclose personal information. Another 165 phone scams, claiming to be from health authorities and trying to steal money and information from people, were also discovered. North Korean APT specialist @cyberwar_15 has also identified the Kimsuky APT leveraging the virus in malspam against South Korean targets.

Security researcher @JCyberSec found coronavirus phishing landing pages that are being used to harvest the credentials of Huawei employees. Pivoting from the IP address hosting the phishing landing page revealed malicious domains for other companies in Asia including HSBC. Notably, the IP address used for this phishing page in Asia was in AFRINIC IP space. This could be linked to the infamous $50 million African IP address heist.

In Europe, the European Central Bank (ECB) said it would restrict all non-essential travel until April 20. Infections in Italy recently jumped 50% in a day, a dozen new cases were reported in the UK, and the first infections were detected in Germany. In the cyber realm, a new malspam campaign has been launched against Italy with the coronavirus (also known as COVID-19) being leveraged in attacks. The malware samples delivered in the spam emails have been identified as TrickBot and the Ostap Trojan downloader. Italy's Computer Emergency Response Team (CERT-PA) issued a security advisory after TGSoft also identified more of these malicious documents and indicators linked to the Ostap loader targeting Italian victims. The documents were titled "Coronavirus: Important information on precautions" and sent from a doctor allegedly connected to the World Health Organization.

@MalwareHunterTeam has also discovered more coronavirus lures with documents entitled ‘CDC-Health-INFO’ and ‘COVID-19-REPORT-SAFETY’ impersonating the Centers for Disease Control and Prevention (CDC), which if opened deliver LokiBot. Kaspersky Labs independently identified the US CDC being leveraged in malspam, with phishing emails distributed from a convincing lookalike domain, ‘’. The legitimate domain is ‘’. Other malware such as NanoCore, Parallax RAT, Remcos RAT, AgentTesla, LokiBot, Emotet, Ryuk ransomware, and the Grandoreiro banking Trojan have all been pushed in malicious emails using the coronavirus as a lure.

Chinese security researchers at @RedDrip7 found phishing emails impersonating the Center for Public Health of the Ministry of Health of Ukraine. This campaign, alongside other fake news, has stoked fear amongst Ukrainian citizens, which was exacerbated by the arrival of a plane carrying evacuees from China and sparked violent protests and clashes with riot police. Protesters smashed the windows of buses transporting evacuees and set fire to makeshift barricades. Some protestors blocked the entrances to hospitals, fearing that the patients would infect them and their children. The phishing campaign originated from outside the country, although the exact location is unknown. The panic rose despite repeated warnings about the emails' inauthenticity from both the Ukrainian Ministry of Health and other government sources. Ukraine is under constant cyber bombardment from Russian state-sponsored APTs such as Gamaredon, Sandworm, and FancyBear. It is possible, therefore, that this campaign is being pushed by one of these GRU-backed hacking groups.

The outbreak of the coronavirus could not have happened at a worse time for the Chinese. Chinese New Year is the peak time for travel across the country as families reunite for the Spring Festival. Employees are working at home across most of China and the country is currently in lockdown, with businesses in the retail, hospitality, and entertainment sectors remaining closed to prevent the spread of the coronavirus. This epidemic is causing more and more people to work from home, which threat actors have realised: it dramatically increases the threat surface, with potential victims using home devices and leaving much of their work outside their usual well-protected corporate detection systems such as firewalls, AV, IDS/IPS, and email gateways.

Some of the most dangerous malware families, each with a very well-established group developing them, have all been pushed in malicious emails using the coronavirus as a lure, and more will very likely follow as the news cycle continues to ramp up the hysteria. State-sponsored groups and cybercriminal gangs continue to benefit from the global confusion and concern surrounding the coronavirus. They will be aiming to maximise their returns by using the glut of information pertaining to COVID-19 in the media, alongside government warnings. Organisations are reminded to heed the warnings about virus-related emails and should remind personnel to remain on high alert for scams.

Updated on 10 March 2020:
The UK National Fraud Intelligence Bureau (NFIB) issued an urgent warning that fraudsters have rapidly exploited the coronavirus outbreak, with the now-typical fake “Centers for Disease Control” emails and other scams already pilfering £800,000 from the UK public. 21 cases of coronavirus-related fraud were reported in February, ten of them involving desperate buyers of face masks, with one person reportedly paying £15,000 for masks that were never delivered.

The NFIB also said in a statement that fraudsters “claim to be able to provide the recipient with a list of coronavirus infected people in their area. In order to access this information, the victim needs to click on a link, which leads to a malicious website, or is asked to make a payment in bitcoin.” It added that it expected to receive many more reports of fraud as the coronavirus spread globally.

Security researchers from CheckPoint have reported that their monitoring identified over 4,000 coronavirus-related domains registered globally. Of these websites, 3% were found to be malicious and an additional 5% are suspicious. Coronavirus-related domains are 50% more likely to be malicious than other domains registered in the same period.

Other news features:
  • Formbook delivered in fake coronavirus emails that impersonate the WHO (source)
  • AgentTesla pushed in a new campaign promoting conspiracy theory-based fears around "unreleased cures" for the coronavirus (source)
  • LokiBot Trojan distributed via Corona-related click-bait link which reads: “BREAKING NEWS: Military Source Exposes Shocking TRUTH About Coronavirus and the 1 thing You Must Do Before It’s TOO LATE” (source)
  • Hancitor malware delivered via coronavirus-themed spam emails impersonating CIGNA health insurance (source)
  • BlackWater malware uses a "Wessex Learning Trust" document as a decoy with coronavirus advice themes (source)
Monitoring the malware campaigns that have leveraged the coronavirus in some capacity has demonstrated the range of tactics, techniques, and procedures (TTPs) that all kinds of threat actors have at their disposal. So far, we have seen the classic malicious spam emails distributed en masse, but also fraudulent SMS messages (also known as SMiShing), malicious documents shared via the Chinese chat app ‘WeChat’ (Weixin), credential-harvesting landing pages, and malvertising (malicious adverts that redirect to drive-by downloads). All of these techniques are useful to monitor in order to understand what we, as security professionals and threat intelligence analysts, are up against and what to look out for in the future. The threat actors are going hell-for-leather to defraud victims and distribute their malware while the coronavirus, or COVID-19, still holds the general population’s attention.

I believe we can expect another interesting revelation before this epidemic - and so-called infodemic - subsides.

Updated on 14 March 2020: 
The world is waking up to ransomware attacks on hospitals during the coronavirus/COVID-19 pandemic. It may have seemed inevitable to some, but this threat comes at a very trying time for society as a whole. Ruthless, opportunistic cybercriminals are beginning to take endpoints and servers offline with ransomware attacks against our hospitals.

ZDNet has reported that the Brno University Hospital in the Czech Republic has been struck by file-encrypting ransomware which knocked its COVID-19 testing lab offline. This comes right in the middle of a growing number of infections in the local area. The hospital was forced to shut down its entire IT network during the incident, and two of its other branches, the Children's Hospital and the Maternity Hospital, were also impacted. (source)

A public-health agency in central Illinois has had to retreat to social media to update residents about the ongoing spread of the new coronavirus after a ransomware attack disabled its main website and briefly cut off employees from medical files. The ransomware has been identified as NetWalker also known as “Mailto” or “Kazakavkovkiz”. (source)

Fake websites pretending to promote the system optimisation software and utilities from WiseCleaner have been observed delivering coronavirus-themed ransomware. These sites distributed a file called ‘WSHSetup.exe’ that downloaded the ransomware and a password-stealing Trojan called Kpot. Furthermore, @VK_Intel investigated these malware samples and found that the Coronavirus ransomware also contained Master Boot Record (MBR) wiping capabilities and would check the target’s language settings: if the system was set to Russian, it would stop the attack. (source)

DomainTools has identified a newly registered malicious domain which referenced the coronavirus. The website ‘coronavirusapp[.]site’ offered an Android app with in-depth information on coronavirus infections, including a live heat-map displaying how many countries have been affected so far. However, if a victim downloads the app, their device is locked with a new strain of ransomware called “CovidLock”. (source)

This ransomware does not encrypt files but locks the targeted phone’s screen and displays this ransom note:

Updated on 16th March 2020: 

With the coronavirus causing public distress, various COVID-19 tracking apps are appearing on app stores, some of which contain Cerberus, the Android banking Trojan. RedDrip7 has uncovered an increased volume of this previously elusive banking Trojan. Cerberus currently targets Android mobiles, conceals itself on the victim’s device, and steals payment information or credentials for online banking. Cerberus ends up on users’ devices in a number of ways, including via URLs to sites hosting malicious APKs (Android package files) with the Trojan inside, or via fake applications on the Google Play Store or a third-party app store. Cerberus indicators of compromise (IOCs) have been found targeting China, Turkey, and the United Kingdom. (source 1, source 2)

BAE Systems has also created a useful infographic to track the ongoing Coronavirus-themed phishing campaigns and who’s been behind them:

Updated on 18th March 2020:

There have been interesting disinformation campaigns circulating in the US this week. The US Health & Human Services (HHS) website was targeted with a huge DDoS attack, but the site thankfully has Akamai DDoS protection and absorbed it. (source)

Then the US National Security Council noticed that SMS messages, spam emails, and social media posts about an 'imminent nationwide quarantine' began to circulate at the same time.

DDoSing the HHS website would have meant that confused citizens could not find the truth easily, causing further disruption.

There are likely to be more disinformation campaigns in this so-called 'info-demic'. Nation-state threat actors are at play here, especially with the 2020 Presidential election coming up. Expect to see FancyBear bots, events, and the like.
